Help With Per File/Folder Restriction Based on HTTPS Client Certificate's CN



There are many guides online for setting up client-based SSL for websites.

One of the best I've seen so far is dwheeler.com/essays/apache-cac-configuration.html

Now my question is this, and I am sure it is something simple.. How do I set up a server to grant access on a per-file basis, depending on the CN of the client?

If CN=kevinds how can I only allow access to secure.example.com/kevinds.html? CN=tuttle secure.example.com/tuttle.html but not have CN=tuttle access secure.example.com/kevinds.html

Per directory is ok if I have to, secure.example.com/kevinds/kevinds.html but would prefer to keep all files in the same directory..

I keep finding examples on how to allow any client signed by the CA access to all files.. Which works if there was only one certificate accessing the server.


NameVirtualHost *:443

	<VirtualHost *:443>

	  ServerName secure.example.com


## I have a feeling I should be putting the SSLCertificate lines under the NameVirtualHost rather than VirtualHost?

	  SSLCertificateFile    [Filename for server certificate]
	  SSLCertificateKeyFile [Filename for server certificate private key]
	  SSLCertificateChainFile [Filename for root chain certificate]

	  DocumentRoot /var/www/vhosts/secure

	  SSLOptions           +FakeBasicAuth "%{SSL_CLIENT_S_DN_CN}" +StrictRequire
	  SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128 
	  SSLVerifyClient	require
	  #Will have to test but 10 should be sufficient to start?
	  SSLVerifyDepth	10
	  SSLCACertificateFile [Same file as SSLCertificateChainFile ?  Is this needed?]

##This next part is the part I believe I have to tweak??  This allows everyone with a cert access rather than just the user to their specific file

	  AuthType             Basic
	  AuthBasicProvider    file
	  AuthUserFile         /var/www/vhosts/secure.txt
	  Require              valid-user

	</VirtualHost>


Am I close? Way off? Been at this for a few hours.. Feel like I am close now, but still far enough off that I need to ask for help.

> Minor Issue: Anybody know how to change my profile to TechnicalUser? lol I don't see a way yet to edit this..
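
One way to express the per-file rule asked about above, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_ssl, and the certificate paths are placeholders.

```apache
# Added example, not the poster's configuration.
# Assumptions: Apache 2.4 + mod_ssl; all /path/to/... values are placeholders.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/vhosts/secure

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA that signs the client certificates; the handshake fails
    # for any client that cannot present a certificate it issued.
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient       require

    <Directory "/var/www/vhosts/secure">
        # Default deny: a valid certificate alone grants nothing.
        Require all denied

        # Each file is released only to the certificate whose
        # subject CN matches. The string comparison is case-sensitive.
        <Files "kevinds.html">
            Require expr "%{SSL_CLIENT_S_DN_CN} == 'kevinds'"
        </Files>

        <Files "tuttle.html">
            Require expr "%{SSL_CLIENT_S_DN_CN} == 'tuttle'"
        </Files>
    </Directory>
</VirtualHost>
```

Because `<Files>` sections are merged after the enclosing `<Directory>`, the two named files override the default deny while every other file in the directory stays blocked. The scheme is only as strong as the CA's guarantee that each CN is issued to exactly one person.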
